Buzzfeed reports that “Twitter user Daniel Dennis Jones — @blanket, at the time — received a notification that his Twitter password had been reset,” and then after seeing his name changed and realizing he’d been hacked, he found his beloved @Blanket up for sale – alongside a BUNCH of other names.

Big deal, he must have had an easy password? Not so fast. According to the hacker (a 14-year-old allegedly only doing this for two weeks), Twitter has a vulnerability that makes it SUPER easy to do this.

You can read his Storified conversation with the hacker here, but the gist of it is this: It really doesn’t matter how complex your password is, because Twitter isn’t disabling logon attempts based on account; it disables them based on IP address. So as long as the attackers can attempt to log in from different IP addresses (which they can), they can keep trying to log in to your account until they crack it.

Now, sure – they do also say they use “a program that repeatedly attempts to log in with common passwords,” but if they can fake IP addresses and use more advanced password cracking techniques, none of you are safe. None.
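
The difference between throttling failed logins by IP address and by account, as an added example that is not from the original post or from Twitter: it replays a constructed burst of failed logins against one account, each from a different address, through both policies. The class and function names, the thresholds (5 failures per 15 minutes) and the sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque

class FailureThrottle:
    """Sliding-window count of failed logins per key (an IP or an account)."""
    def __init__(self, max_failures, window_seconds):
        self.max_failures, self.window = max_failures, window_seconds
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def blocked(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:  # forget failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, key, now):
        self.failures[key].append(now)

# Key functions: what a failure is counted against (hypothetical helpers).
def by_ip(ip, account):
    return "ip:" + ip

def by_account(ip, account):
    return "acct:" + account

def replay(attempts, key_fns, max_failures=5, window_seconds=900):
    """Replay failed logins; return how many reached the password check."""
    throttles = [(fn, FailureThrottle(max_failures, window_seconds)) for fn in key_fns]
    checked = 0
    for ts, ip, account in attempts:
        if any(t.blocked(fn(ip, account), ts) for fn, t in throttles):
            continue  # rejected before the password is even compared
        checked += 1  # password comparison happens here; every guess in the sample fails
        for fn, t in throttles:
            t.record_failure(fn(ip, account), ts)
    return checked

# Constructed sample: 200 wrong guesses at one account, one per second,
# each from a different address in the 198.51.100.0/24 documentation range.
ATTEMPTS = [(t, f"198.51.100.{t + 1}", "example_user") for t in range(200)]

def guesses_checked_per_ip_only():
    return replay(ATTEMPTS, [by_ip])

def guesses_checked_with_account_key():
    return replay(ATTEMPTS, [by_ip, by_account])

if __name__ == "__main__":
    print("per-IP only:        ", guesses_checked_per_ip_only())
    print("per-IP + per-account:", guesses_checked_with_account_key())
```

With the per-IP key alone every one of the 200 guesses reaches the password check; adding the per-account key stops them after 5. A hard per-account lockout also lets anyone lock the real owner out, which is why deployments often slow down or challenge the login instead of refusing it outright.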